The tweet mentions completing the Farewell room on TryHackMe, which involves using red teaming techniques to bypass a WAF in order to obtain admin access to a web application. Unfortunately, no specific payload or WAF vendor is provided in the tweet, so it's unclear which exact bypass method was used or what the technical details are.
In general, though, the WAF-bypass techniques used in red teaming work by changing how a payload is presented rather than what it does: altering its format or encoding, or using uncommon HTTP methods or headers, so that the request no longer matches the signatures or rules a Web Application Firewall relies on for detection.
For those interested in gaining practical experience, TryHackMe's Farewell room is a valuable exercise for learning real-world web application security and how attackers might circumvent protections like WAFs to achieve higher access levels, such as admin rights.
If you want to try this yourself, consider experimenting with payload obfuscation, parameter pollution, alternate encodings (such as URL encoding or Base64), or chaining multiple vulnerabilities once the WAF has been bypassed. Always perform such tests in a legal and ethical manner, such as on controlled platforms like TryHackMe.
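To make the detection side of this concrete, here is an added example (not from the tweet, TryHackMe, or any real WAF product) of why the evasion techniques named above work against a naive rule engine and what a canonicalising matcher does differently. It contrasts a weak matcher that decodes once and keeps only the last value per parameter name with one that examines every parameter occurrence, fully URL-decodes each value, and also inspects a Base64-decoded view. The two signatures and all sample query strings are constructed for illustration and are assumptions of this example, not rules or traffic from the room.

```python
"""Added example: signature matching with and without request canonicalisation.
The signatures and sample requests are constructed for illustration only."""
import base64
import re
import urllib.parse
from typing import Optional

# Two toy signatures in the style of a rule-based WAF (constructed here).
SIGNATURES = {
    "sqli-union-select": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "xss-script-tag": re.compile(r"(?i)<script\b"),
}


def naive_match(raw_query: str) -> bool:
    """Weak approach: decode once, keep only the last value per parameter
    name, then match. Double encoding, Base64 and duplicate parameters
    (parameter pollution) all slip through."""
    params = dict(urllib.parse.parse_qsl(raw_query, keep_blank_values=True))
    return any(sig.search(v) for v in params.values() for sig in SIGNATURES.values())


def _decode_layers(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing. The round limit
    keeps a hostile input from turning the normaliser into a busy loop."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def _maybe_base64(value: str) -> Optional[str]:
    """Return decoded UTF-8 text if the value is plausible Base64, else None."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_query(raw_query: str) -> list:
    """Hardened approach: examine every parameter occurrence, fully
    URL-decoded, plus a Base64-decoded view where one exists.
    Returns one 'name:view:rule' string per hit."""
    hits = []
    for name, value in urllib.parse.parse_qsl(raw_query, keep_blank_values=True):
        views = {"url": _decode_layers(value)}
        decoded_b64 = _maybe_base64(views["url"])
        if decoded_b64 is not None:
            views["base64"] = decoded_b64
        for view, text in views.items():
            for rule, sig in SIGNATURES.items():
                if sig.search(text):
                    hits.append(f"{name}:{view}:{rule}")
    return hits


def canonical_match(raw_query: str) -> bool:
    """True if any signature fires on any canonicalised view."""
    return bool(inspect_query(raw_query))


if __name__ == "__main__":
    # Constructed sample query strings, not captured traffic.
    samples = [
        "q=1+union+select+1",                     # plain: both matchers fire
        "q=1%2520union%2520select%25201",          # double URL-encoded
        "q=1+union+select+1&q=hello",              # duplicate parameter
        "data=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",  # Base64-wrapped
        "q=hello",                                 # benign
    ]
    for s in samples:
        print(f"{s!r:48} naive={naive_match(s)!s:5} canonical={canonical_match(s)}")
```

The design point is that canonicalisation must happen before matching, on every occurrence of a parameter, and must be bounded; a matcher that decodes exactly once or collapses duplicate names is exactly the kind of filter the evasion techniques above are built to walk past.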
Original tweet: https://twitter.com/benhjt/status/1999399412179829070